Microsoft to Push Out IE 7 This Month

Last week, Security Fix mentioned that Microsoft intends to ship 11 patches tomorrow, including a "high-priority update." According to a post on the company's IE blog, that high-priority update could be IE7, a long overdue upgrade to IE 6 that includes new security features and other enhancements that most other Web browsers have long possessed. A Microsoft spokesperson declined to say whether IE7 would be released tomorrow, saying only that it would be released sometime this month.

IE 7 includes tabbed browsing, built-in RSS feeds, as well as tools to help users spot phishing Web sites that mimic banks and trusted e-commerce companies to steal personal and financial data. The new IE also shores up some weaknesses in ActiveX, a feature designed to help Web sites load interactive content (ActiveX has been abused with such abandon by spyware purveyors to install their junk programs that some security researchers have taken to calling it "HacktiveX").

However, one of IE 7's most useful security features, a protected mode -- billed as a "containment wall" to prevent the browser from installing software or changing computer settings without the user's consent -- will not be available for XP users. That feature will be reserved for users who upgrade to Windows Vista, the next version of the operating system, due in January.

It will be interesting to see whether this upgrade for Windows will further increase Microsoft's market share in the ongoing browser wars. According to numbers released today by Amsterdam-based Web analytics firm OneStat.com, the total global usage share of IE increased 2.8 percent since July 2006, bringing Microsoft's share of the browser market worldwide to nearly 86 percent. The company says Mozilla Firefox's browsers have a total global usage share of 11.49 percent, a decrease of 1.44 percent since July 2006. In the United States, the IE/Firefox ratio is roughly 80 percent to 15 percent, according to OneStat.

Update, 1:14 p.m. ET: The above post was changed to say IE7 would be released this month. Microsoft declined to confirm whether it would release IE tomorrow as part of its patch process, only to say that it planned the release sometime this month.

Interesting that MS is deliberately screwing XP users with the "containment wall" business. That's a desperately needed function that would probably do as much to stop malware as all the other "upgrades" combined.

"a protected mode -- billed as a "containment wall" to prevent the browser from installing software or changing computer settings without the user's consent -- will not be available for XP users"

Not quite.

Users should already be logged in with user accounts that do not have administrator privilege (aka Limited User Accounts), so the browser, or any other application, can't install rogue applications or change system settings.

However, if someone is dumb enough to "surf the net" with a user account that has administrator privilege, they should be using "SAFER Policies". The SAFER Policies can easily be set up on Windows XP (Home or Pro) and provide "containment wall" security for IE (or any other application) by running the application under Limited User (aka non-administrator) privilege.

Brian, FYI, onestat.com is blocked on my HOSTS file (I use the one from MVPS). It's also on the blocklists from IE-Spyad and Ewido. Onestat.com is considered a threat site because of adware tracking cookies.

The web browser market share stats may not be accounting for those who are using both I.E. and Firefox. I use Firefox as my main browser. I have to use I.E. for my company intranet and Outlook Web Access (they only work properly with I.E.).

"Interesting that MS is deliberately screwing XP users with the "containment wall" business. That's a desperately needed function that would probably do as much to stop malware as all the other "upgrades" combined."

Wow, you really don't know what you are talking about.

The IE7 "Protected Mode" feature uses changes in Vista's access controls (namely the addition of the "Integrity Level" token as part of the UAC project) to run Internet Explorer as two levels of processes. Most of the dangerous rendering, Javascript and AX stuff is pushed into the process running as the "Low" Integrity Level, which makes it difficult for IE malware to do much even if the user is running as Administrator.

This is a fundamental part of Vista and not something that can be stapled onto XP via an IE update.

It should be noted that no other browsers on any platform can do something like this, since most OS platforms do not have a programmatic way to spawn low-rights processes within the same user context.

As a Linux, Mac, and MS user I would have to say that any program that requires you to run as root or Admin to use it properly is flawed in the deepest way. I develop apps for the MS platform and spend a great deal of time getting them to work as needed without needing admin privileges. This is how it should be; the coder(s) need to spend the time to get it working the RIGHT way, not the fast way. I feel your pain for having to run a user-level program as an admin because the programmers did not spend the time on the front end. There are other security concerns with MS software, but 3rd party programs forcing people to run as admin to use their product is one of the biggest.
--KJB

I can understand why Firefox currently doesn't have the 'two process model' already though, as it is intended to be cross-platform. The logic there is that the operating system itself should be advanced enough to run different programs/modules in different levels of access control while logged in as a different user (like many Unix/Linux based systems have been able to do for years), not just certain programs.
It will be nice to see if Vista can *FINALLY* be the version of Windows to have the userland it should have had in 95.

In any case, I'm sure someone will create a jury-rigged version of Firefox to work with Windows' userland access controls before long...

Brian, I know these stats can vary depending on how they're collected, but apparently it's not universally agreed that IE has stopped losing market share to other browsers. Net Applications is reporting that IE continues to slip, while Firefox and Safari gain. Here's the Oct. 4 story:

For the third consecutive month, Mozilla Corp.'s Firefox has posted a half a percentage point or more gain in market share, a Web metrics company said Wednesday. Meanwhile, Microsoft's Internet Explorer's still-commanding lead has slipped slightly.

Firefox accounted for 12.5 percent of September's global browser market, said Aliso Viejo, Calif.'s Net Applications. That's an increase from August's 11.8 percent, which was up from the 11.3 percent in July. Internet Explorer's share slipped to 82.1 percent in September, down from August's 83 percent.

Also making gains was Apple Computer's Safari browser, which by the end of September was up from 3.2 percent to 3.5 percent. Safari's September numbers were its highest since April.

"Internet Explorer continues to lose market share with Firefox and Safari showing a steady increase over the past 9 months," said Net Applications in a statement.

I'm a dual browser user. For personal use, I prefer to use Firefox but like many have to use IE for work-related sites.
Browser (well, any application actually) protection with a protected space has been available in Linux for a while through a feature called AppArmor. Even my Open Office is protected from malicious macros 8) For rendering RSS feeds and mail with HTML I use a browser with no plugins configured and scripting disabled.

@owen
If you have to use an account with administrator privilege, that's fine, just use SAFER Policies.

@AI
The SAFER Policies allow you to run a "two process model". For applications where I need to use an account with administrator privilege, and still safely access the Internet, I run IE, Outlook, etc. with SAFER Policies. The SAFER Policies restrict those applications to "Limited User" privilege. So, for IE and Outlook, this means that even though the user account has administrator privilege, IE and Outlook run with Limited User privilege, so IE and Outlook can't install applications (i.e. ActiveX, toolbars, malware, etc.), change system settings, etc.

Most of the basic security in Vista (i.e. Limited User privilege restriction) is available in Windows XP today!! People just need to learn how to set up and configure their Windows XP systems.

Safer, although that is the right idea, getting admin privileges on most Windows machines is too easy. For example type "at 9:45 /interactive cmd.exe" into your command window where 9:45 is one minute from the current time. When the minute changes over you'll have a command window running with SYSTEM privileges, which means everything you launch from that window will also have those privileges.

"We wanted to give you guys one last chat session before we ship IE. So if you can, you should join us for the chat this Thursday, October 12th at 10.00AM PDT (5.00GMT) otherwise you can catch all the action in the transcript.

AI wrote:
"... most OS platforms do not have a programmatic way to spawn low-rights processes within the same user context."

I don't know which platforms you had in mind, but a Unix or Linux process certainly _can_ create a child process with lower "rights" than the parent. The child inherits (under the parent's control) its context, including environment, resource limits, working directory, and so on. That is how every "user-land" process gets created in the first place.

For example, the 'login' program runs with "super-user" privileges, but it creates the user's login process with lesser privileges. (In login's case it also changes the real and effective user IDs.)
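The reply above says a Unix child process can be created with fewer rights than its parent. The following is an added example, not code from the post or from any commenter, narrowed to the unprivileged case: the child keeps the same UID but uses a resource limit to give up the right to open new files, while a descriptor handed over by the parent keeps working. The function and flag names are made up for illustration, and the UID change that login performs (which requires root) is not shown.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical flag names; the child reports them in its exit status. */
enum { OPEN_BLOCKED = 1, INHERITED_FD_OK = 2, CANNOT_RAISE = 4 };

/* Runs in the child: give up the right to open new files. */
static int restricted_child(int inherited_fd)
{
    struct rlimit none = { 0, 0 }, back = { 64, 64 }; /* soft, hard */
    int report = 0;
    if (setrlimit(RLIMIT_NOFILE, &none) != 0)
        return 0;
    /* New descriptors are refused regardless of file permissions. */
    if (open("/dev/null", O_RDONLY) == -1 && errno == EMFILE)
        report |= OPEN_BLOCKED;
    /* A descriptor the parent chose to pass on still works. */
    if (write(inherited_fd, "x", 1) == 1)
        report |= INHERITED_FD_OK;
    /* Raising a hard limit needs privilege (CAP_SYS_RESOURCE on Linux). */
    if (setrlimit(RLIMIT_NOFILE, &back) == -1 && errno == EPERM)
        report |= CANNOT_RAISE;
    return report;
}

/* Parent: fork, let the child restrict itself, return its report (0 on error). */
int spawn_restricted(void)
{
    int pfd[2], status = 0;
    pid_t pid;
    if (pipe(pfd) != 0)
        return 0;
    pid = fork();
    if (pid == 0)
        _exit(restricted_child(pfd[1]));
    close(pfd[1]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        status = -1;
    close(pfd[0]); /* read end stays open until the child has written */
    return status == -1 ? 0 : WEXITSTATUS(status);
}

int main(void)
{
    printf("child report flags: %d\n", spawn_restricted());
}
```

When run as root the child can raise the limit again, so `CANNOT_RAISE` is only expected for an unprivileged user.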

A little more clarification: The blog post says that IE "will be delivered to customers via Automatic Updates a few weeks after it's available for download". So it's at least a few weeks away from being an Automatic Update.

Ken L., Good luck using IE7 for OWA. It doesn't take kindly to it and thinks that it is an unsafe site. That is unless you make some changes to the settings. Interesting since they are both from the same company.

"For example type "at 9:45 /interactive cmd.exe" into your command window where 9:45 is one minute from the current time. When the minute changes over you'll have a command window running with SYSTEM privileges, which means everything you launch from that window will also have those privileges."

This only works if you are already an admin, which means you have no need to elevate to SYSTEM. You already have SYSTEM access.

"However, one of IE 7's most useful security features, a protected mode -- billed as a "containment wall" to prevent the browser from installing software or changing computer settings without the user's consent -- will not be available for XP users. That feature will be reserved for users who upgrade to Windows Vista, the next version of the operating system, due in January."

OK, think I have this logic figured out.

Nobody is getting what they want, but they are waiting for it to come, so they can wish for what they don't have.

"Ken L., Good luck using IE7 for OWA. It doesn't take kindly to it and thinks that it is an unsafe site. That is unless you make some changes to the settings. Interesting since they are both from the same company."

m - interesting, I have had no issues with OWA - Netgear routers though were a pain for the first few betas - Vista RC2 and that works too - so suspect things will be much better in final code

@Adam K: kick your administrators. There have been updates to OWA to support IE 7 and Vista. They should already be running Exchange Server 2003 SP2 (Exchange 2000 Server came out of mainstream support at the end of last year, and 2003 SP1 ends on 9 January 2007). The update is KB911829 (http://support.microsoft.com/kb/911829) and applies to all releases of Exchange Server 2003 and to Exchange 2000 SP3.

If you get the "There is a problem with this website's security certificate" message, your administrators need to either: get a certificate based on a trusted certification authority, install their private CA certificate into your root certificate store, get a new certificate from the CA if it's expired, check your clock, or tell you the correct address to use so it matches the certificate.

Wow, nice headline. Pushing out a new release of IE in (what possibly could be) automatic updates is a **HUGE** event. As it turns out, this was just another headline to grab attention and based on nothing more than idle rumor. Nice going, Washington Post.

IE 7 is fast. But it all feels different, minimalistic. I used to have tool bars with Hotmail and such, now they are missing. I live in my browser, I want the old interface. The interface isn't the security issue. Microsoft, GIVE US BACK our tool bars and buttons!

The headline is right... Microsoft sent me a warning letter that in a couple of weeks they will push the IE package down the update pipeline. And, if we didn't want it, we would have to install a blocker at work. What if we didn't read the email! 60 users calling me, the tech guy, on "where are their buttons?!" GOSH.